The clonephishing analysis focuses on looking at the rhetorical situation to understand the context of the emails and assessing the use of the rhetorical appeals to gauge the clonephishing email's effectiveness. While this analysis broaches the rhetorical situation and appeals, it focuses heavily on the idea of simulation. I cover the Podesta email leak at the end, digging a bit deeper into the social implications of what it means to be phished as a prominent political figure and how we can learn from these attacks.
A clonephishing attack takes an email and attempts to replicate it as close to the original as possible while changing the links to malicious sites. The sender's email address is generally spoofed, so it looks even more legitimate to the unaware. These attacks mimic requests to share documents through places like Google Drive, DocuSign, or Dropbox, prompting users to enter login credentials and allowing attackers to access their files. They also mimic password resets or other types of account messages. A classic clonephish is the eBay member message, which copies the old eBay emails almost precisely, with an almost-too-real irate customer messaging about where their item is that they paid for and haven't received. While those can also be considered bulk phishing due to their mass mailing, the cloning aspect of the email solidifies their position as mimicry. It explains why they work incredibly well versus other types of bulk phishing.
Others rely on the victim to open a link for a shared document, such as the case in DocuSign/HelloFax spoofs, in which an urgent situation is created by requesting a signature or fax review. Invoices are another popular clonephishing tactic, as copies of legitimate emails are readily available and easy to fake. This Apple invoice pretends to confirm an order that will ship within 24 hours:
Clonephishing emails must rely on existing brand ethos to be successful. Because phishers are not constructing text (or rather, they shouldn't be for a true clonephish,) the attacks usually rely on an existing business relationship to be successful. For example, this eBay clonephish's ethos is constructed through eBay's wording in the communication itself, as well as following the layout of emails from eBay during that period:
Using eBay's terminology and warnings about email spoofing, the phisher creates ethos through eBay's reputation and business practices. For example, the email states, "Learn how you can protect yourself from spoof (fake) emails at: http://pages.ebay.com/education/spooftutorial." However, the link redirects to a malicious site.
Interestingly, the link which informs the recipient that they can change their notification preferences is legitimate. Perhaps this was done to quell any suspicion that may have arisen, but it may have just been an oversight. Because this email presents as a message from an angry customer named Bluebellvue, the opportunity for the attacker to use emotional language arises. In the message field, Bluebellvue writes,
"I don't understand why you are not answering back.I have made the payment and you said you will provide a tracking number after the payment is done.If you don't replay I am assuring you I will report you at eBay.I am sorry for that but you gave me no choice.Waiting for your answer asap. Thank you!"
The immediate gut reaction intended is to make the recipient panic - how could they have missed all of these emails from Bluebellvue? Indeed if the recipient were selling something, they wouldn't have intended to make someone panic. This language also instills fear of retaliation since the angry customer threatens to report the recipient to eBay, having implications both as a seller and a buyer on the eBay platform. What potentially damages the ethos of this emotionally-charged message is the text below, which states, "this message was sent while the listing was active. bluebellvue is a potential buyer." If this was true, then why would Bluebellvue have stated they paid?
Suppose it was a mistake on their part. In that case, it's believable enough, even with poor grammar and punctuation, because it's expected someone upset enough to write a message like this (while the listing was still active) would not have the patience to proofread. The email backs up their claim further by listing the specific item number and a link (albeit malicious) to the listing itself. Regardless of whether the message mentioned it was sent while the listing was active was an oversight or a purposeful intent to get you to click, the combination of mimicry and artful rhetorical appeal usage makes the eBay example a successful clonephish.
This example shows a DocuSign phish, which also relies on brand ethos to be successful. The email is recreated identically to an actual DocuSign email. Since DocuSign and other document companies allow personal messages to be written, there is an element of personalization available. In this example, the email reads, "Dear Recipient, please sign this invoice It is an electronically created notice." The language conventions are impersonal and imply a more personal connection, but the email addresses "Recipient." It's a curious muddling of informal conventions, especially if this is business communication. The attack even goes so far as to include a statement at the end of the email, providing a way to access the document outside of the email: "Please visit DocuSign.com, click on 'Access Documents', enter the security code: 080E7ACAF4."
Since the malicious website was taken down, I can only assume one of two things: the security code is entirely untrue, or the link to click on was a replicated DocuSign website since the code is listed as invalid when entered in DocuSign itself. Since either situation is plausible, this statement only helps boost the email's ethos at face value by providing a specific example of evidence that it's authentic and accessible outside of the email.
Clonephishing emails are closer than other phishing emails to a representation of the simulacrum - a copy of something that no longer has an original, or in this case, a copy of something that has never had an original. To demonstrate this, I'm going to discuss the famous Podesta email. If you are unfamiliar with this specific phishing email, it was responsible for one of the most significant controversies in the 2016 presidential campaign. Aside from accusations of collusion, Russian Interference (or rather, the spectacle of Russian Interference,) and conversations that remove the veil that classified the Democratic elite as "common people," the compromise of Podesta's account shows the inner workings of Hillary Clinton's presidential campaign and have impacted how the public perceives politicians' authenticity.
It's also created an even bigger spectre of Russian Hackers than before. In a sense, the release of these emails started a progression of blaming Russian Hackers for everything that feels reminiscent of McCarthyism. While there was a concentrated effort on US politicians and defense agencies, knowing that they had targets in 116 countries leads me to believe it was not a matter of focused aggression. It was a success in a long list of targets they were after, some of which included the Pope's Kyiv representative, the punk band Pussy Riot, and numerous Russian journalists and oppositionists. While the breach did have Russian actors, calling Fancy Bear (the group believed to be responsible for the leak) an official arm of Russian Intelligence meant to bring down the United States is founded upon propaganda, a desire for scapegoats, and ultimately a distraction amid all the controversy generated from the breaches themselves.
We can see the clonephish was successful against Podesta for a few reasons. The email succeeded technically because Gmail's spam filter did not detect the bit.ly link. Even though it was a direct copy of one of their emails with a malicious link, the spam filter had no way of telling and letting the email go through uninterrupted. Ultimately, this phishing email was successful inherently due to human error. Charles Delavan, the Hillary For America help desk tech contacted regarding the phishing email, responded to the initial inquiry with, "This is a legitimate email. John needs to change his password immediately, and ensure that two-factor authentication is turned on his account."
Delavan then provides a link to change the password as well. But the compromise that follows indicates that Podesta did not follow Delavan's advice and instead clicked on the link in the phishing email. At this point, the idea of the email being a simulacrum comes into play. Unsurprisingly, Podesta clicked on the link, even though Delavan provided him with a link to change the password. Since their tech support member stated that the email was legitimate, there was no reason for Podesta to believe that the link contained in the phishing email was dangerous. Comparing the Podesta phishing email to a legitimate email I received on one of my accounts after I tried to sign in while away from home, we see that it has nearly every marker of a legitimate Gmail email, from language to colors and styling:
The phishing email states that Google is contacting them because someone used their password to try and sign in to their Google account from Ukraine and that the user should change their password to avoid becoming compromised. Much like the legitimate email I received from Google, it notified me that someone had used my password to sign into my Google account. The only difference seems to be that the phishing email states an IP address. In contrast, the official email does not provide that information but says that "the location is approximate and determined by the IP address it was coming from." This added IP creates a scenario where the phishing email becomes even more believable due to providing an IP address.
The phishing email's "from" tag is listed as "firstname.lastname@example.org." Legitimate account notices come from "email@example.com." The likeness is so close that it's unsurprising this was overlooked when determining whether the email is authentic. Whether or not the phishers missed this small detail or were unable to spoof the address properly is undetermined. Still, they were close enough to where that minute detail did not render the email ineffective. The signature is also slightly off, with the phishing email stating "Best, The Gmail team," where the legitimate email says, "Best, the Google Accounts Team."
In the end, the phishing email that tricked Podesta became hyperreal. First, multiple parties accepted its existence as authentic and passed the first order - a "good appearance" of an alert email from Google. But because the email is a phishing attempt, it passes the second order by "masking and denaturing" the email's intentions. That mask has become its own "sorcery," removing the profound reality that the email is legitimate and from Google and fulfills the third order. And finally, because it has become a simulation with no reality that matches the intent of the "good appearance," it has become a simulation. Thus, the email has become a simulacrum with the four steps fulfilled.
Because the email had become a simulacrum to Delavan, there was no indication that it shouldn't have been treated as a phishing attempt. I would venture to say that this is how many of these clonephishing emails operate, especially emails that remain as close to the source material as possible. The trouble with attempting to teach people about these types of phishing emails then is not one where we can point out typical markers such as poor grammar or an improper email header. Indeed, those things did exist in the Podesta phishing email, but the variations were so minor that it is incredibly easy to look over. The focus on educating about clonephishing then relies on challenging the default setting when reviewing emails in general and perhaps adopting a sort of paranoia about every message you get. While it may sound extreme, we are a bit too trusting in giving out our information as willingly as we do.
Please continue on to the malspam analysis.